From owner-freebsd-ipfw@freebsd.org Fri Dec 29 12:42:36 2017
From: David Wolfskill <david@catwhisker.org>
To: 方坤
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 29 Dec 2017 04:20:17 -0800
Subject: Re: ipfw rules for modern FreeBSD?
Message-ID: <20171229122017.GO1555@albert.catwhisker.org>
User-Agent: Mutt/1.9.2 (2017-12-15)

On Fri, Dec 29, 2017 at 05:21:34PM +0800, 方坤 wrote:
> Dear ipfw maintainer,
>
> I read the following from
> https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports#end
> ....
> And, my firewall_script is as follows:
>
> #!/bin/sh
>
> fwcmd="/sbin/ipfw -q"
>
> ${fwcmd} -f flush
>
> ${fwcmd} add allow proto tcp src-ip me setup keep-state :default
>
> ${fwcmd} add allow proto udp src-ip me keep-state :default
>
> And, I found these rules are not protecting my FreeBSD box.
>
> Question: How can I write ipfw rules for modern FreeBSD only?
> .....

First, you need to determine what "protecting my FreeBSD box" means for
your situation.

Please note that whatever you determine at first, the result is likely
to evolve over time.

You will almost certainly benefit from a study of /etc/rc.firewall --
possibly to help you understand what kinds of "protection" ipfw can
provide (and how to implement them) -- but also to help you clarify your
own "protection" requirements.

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
If Trump is "taking names" re: the UN Jerusalem vote, he can add mine.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
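As an added example, written for this page and not taken from the thread or from FreeBSD's /etc/rc.firewall: a minimal stateful rule set in the style of the poster's script, with loopback handling, an explicit check-state, and an explicit final deny so the result does not depend on whether the kernel's default rule accepts or denies. The IPFW_DRY_RUN switch is our own addition; it echoes the rules for review instead of loading them. Assumes FreeBSD 11 or later ipfw syntax (named state ":default").

```shell
#!/bin/sh
# Added example (not the poster's or rc.firewall's code): a small
# stateful ipfw rule set with an explicit default deny.  Assumes
# FreeBSD 11+ ipfw syntax; IPFW_DRY_RUN is a name we chose.

# Emit each ipfw command.  With IPFW_DRY_RUN=1 the commands are echoed
# rather than executed, so the rule set can be reviewed or diffed first.
ipfw_rules() {
    fwcmd="/sbin/ipfw -q"
    if [ "${IPFW_DRY_RUN:-0}" = 1 ]; then
        fwcmd="echo ${fwcmd}"
    fi
    ${fwcmd} -f flush
    # Loopback: allow lo0, and drop 127/8 addresses seen on other interfaces.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    # Let packets that belong to an existing dynamic state through first.
    ${fwcmd} add 1000 check-state :default
    # Connections originated by this host (the poster's two rules).
    ${fwcmd} add 2000 allow tcp from me to any setup keep-state :default
    ${fwcmd} add 2100 allow udp from me to any keep-state :default
    # Everything else, in either direction, is denied and logged.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Number of "add" rules the script would load (flush excluded).
rule_count() {
    IPFW_DRY_RUN=1 ipfw_rules | grep -c ' add '
}

# The final rule that would be loaded; should be the explicit deny.
last_rule() {
    IPFW_DRY_RUN=1 ipfw_rules | tail -n 1
}
```

Run with IPFW_DRY_RUN=1 to see the rules on stdout before loading them on a real host.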